HoverStash
Get HoverStash
Legal

Privacy Policy

Last updated April 2026

SummaryWe store the minimum needed to manage your licence and keep HoverStash running on your device: email, masked licence key, machine fingerprint hash, and payment history. Everything you drag or convert stays on your computer.

1. Who we are

This Privacy Policy explains how [[Operator Legal Name]] (“HoverStash”, “we”, “us”, “our”), registered in England and Wales at [[Registered Address]], handles personal data when you use HoverStash.

We are the “data controller” for the purposes of UK GDPR and the Data Protection Act 2018. If you have any questions, email us at privacy@hoverstash.tech.

2. What data we collect

  • Account + licence data. Your email address, a masked version of your licence key, and an opaque hash of your machine fingerprint (SHA-256 of OS + arch + an install-time UUID — we never see your hostname or serial numbers).
  • Payment data. Processed and stored entirely by Stripe, Inc. We receive a Stripe customer id and transaction metadata (amount, currency, date, country) so we can correlate purchases with licences and issue refunds.
  • Magic-link tokens. Single-use, 15-minute-TTL tokens sent to your email to let you sign in to your dashboard without a password. Consumed on first click and deleted immediately after.
  • Technical logs. Our server keeps rolling access logs for 30 days (IP address, user agent, request path) for security + abuse-prevention. These are auto-deleted after 30 days.

We do not collect: file contents you drag or convert; filenames of anything stashed; analytics about how you use the desktop app; or any third-party tracking cookies.

3. Why we use it

Our lawful bases under UK GDPR Article 6:

  • Contract — to deliver the software you purchased, issue + validate your licence, and operate the update channel.
  • Legitimate interests — to prevent licence abuse (fraud, key-sharing beyond the 1-device policy) and to keep our servers secure.
  • Legal obligation — to keep invoices + VAT records as required by HMRC (6 years from the end of the accounting period).

4. Who we share it with

  • Stripe (US-based, UK-GDPR-compliant) — payments processor. See stripe.com/privacy.
  • Resend (US-based) — transactional email provider for magic links + receipts. See resend.com/legal/privacy-policy.
  • DigitalOcean (EU/US) — hosting infrastructure.
  • Keygen — licensing backend, self-hosted on our own DigitalOcean server in London (LON1). No third-party Keygen cloud involvement.

We do not sell your data. We do not share it with advertisers. We only disclose it to the processors above for the contractual purposes described, under written data-processing terms.

5. International transfers

Some processors (Stripe, Resend) are US-based. Transfers rely on the UK Addendum to the EU Standard Contractual Clauses plus the UK extension to the EU–US Data Privacy Framework where applicable.

6. How long we keep it

  • Licence + machine data: for the life of the licence + 2 years.
  • Invoices: 6 years (UK HMRC requirement).
  • Access logs: 30 days.
  • Magic-link tokens: 15 minutes or until first use.

7. Your rights

Under UK GDPR you have the right to:

  • Access a copy of the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased where we no longer need it (subject to HMRC record-keeping on invoices).
  • Restrict or object to certain processing.
  • Port your data to another controller.
  • Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

Email privacy@hoverstash.tech and we'll respond within one month.

8. Cookies

The marketing site uses a single first-party session cookie named __Host-hs_session on the dashboard + admin subdomains, set only after you sign in. No advertising or analytics cookies are set anywhere on the site.

9. Security

All traffic is TLS 1.3. Session cookies are HttpOnly, Secure, SameSite=Lax, and scoped to their subdomain. Passwords (admin only) are hashed with argon2id. Licence files at rest on your device are AES-256-GCM sealed against your machine fingerprint.

10. Changes

If we materially change how we handle data we'll update this page and email active licence holders. The "Last updated" date at the top of this document reflects the most recent revision.